Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[User Accounts] Fix edge-case that gave a confusing error message #5956

Merged
merged 1 commit into from
Jan 29, 2020
Merged

[User Accounts] Fix edge-case that gave a confusing error message #5956

merged 1 commit into from
Jan 29, 2020

Conversation

johnsaigle
Copy link
Contributor

Brief summary of changes

When both the password and email fields were empty, an error was displayed saying "Your password cannot match your email address"

While technically accurate, this isn't actually helpful for a user, especially since our checkbox option "Generate new password" requires leaving the password field blank.

Testing instructions (if applicable)

  1. Verify the confusing error message in the linked Issue.
  2. On this branch, do the same thing. The password error won't appear.
  3. Repeat 2. but uncheck 'Generate new password'. Ensure that the error message "Please specify password or click Generate new password" is displayed instead.

Link(s) to related issue(s)

@johnsaigle johnsaigle added the Area: UI PR or issue related to the user interface label Jan 27, 2020
@johnsaigle
Copy link
Contributor Author

@lingma Would you mind reviewing?

@lingma
Copy link
Contributor

lingma commented Jan 28, 2020

What about (!empty($values['Password_hash']) && !empty($values['Email']) && in_array($values['Email'], $values['Password_hash']))?

@johnsaigle
Copy link
Contributor Author

Are you asking what happens if the Email equals the password? There should be an error condition for that. You can test and see.

@lingma
Copy link
Contributor

lingma commented Jan 28, 2020

Are you asking what happens if the Email equals the password? There should be an error condition for that. You can test and see.

No, I am wondering what if the password is email0

@lingma
Copy link
Contributor

lingma commented Jan 28, 2020

The proposed code could solve this problem. But I did not test.

@johnsaigle
Copy link
Contributor Author

No, I am wondering what if the password is email0

I don't understand what problem you are trying to address here.

@lingma
Copy link
Contributor

lingma commented Jan 28, 2020

I am wondering what if the password is the same as the Email, only add a 0 or whatever, the program won't detect anything.

@johnsaigle
Copy link
Contributor Author

johnsaigle commented Jan 28, 2020

The Password class is self-validating and contains a reference to the Zxcvbn library which evaluates password-strength. We're using this library to evaluate passwords instead of creating ad-hoc password rules for LORIS.

A benefit of this is that the modules don't have to be responsible for checking passwords. E.g. Passwords can be changed in the login module as well as in user_accounts. Instead of duplicating these checks, it's all done in Password.class.inc.

@driusan
Copy link
Collaborator

driusan commented Jan 29, 2020

I just had a look at the code, and the Zxcvbn only seems to check the complexity of the input in the Password class. It doesn't validate that the blacklisted things that the library doesn't know about (ie. the email address) aren't a substring as far as I can tell.

@johnsaigle
Copy link
Contributor Author

That's true; it's not a feature we discussed. The code has only ever checked if the Password === Email as far as I know.

We can add that in another PR?

@driusan
Copy link
Collaborator

driusan commented Jan 29, 2020

Sure, I just meant that that's what @lingma seems to be saying that you're misinterpreting..

@driusan driusan merged commit 2b2963a into aces:master Jan 29, 2020
@ridz1208 ridz1208 added this to the 23.0.0 milestone Jan 30, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Area: UI PR or issue related to the user interface
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[user_accounts] new user
5 participants